From 6d42ecdced5c2ac02c5094b4dfbd9ea5c4dd069e Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 20 Jan 2024 01:59:58 +0100
Subject: apps/whawty/auth: almost done
---
roles/apps/whawty/auth/defaults/main.yml | 26 +++++
roles/apps/whawty/auth/instance/tasks/main.yml | 127 +++++++++++++--------
.../whawty/auth/instance/templates/pod-spec.yml.j2 | 12 +-
.../apps/whawty/auth/instance/templates/web.yml.j2 | 13 +-
4 files changed, 120 insertions(+), 58 deletions(-)
create mode 100644 roles/apps/whawty/auth/defaults/main.yml
(limited to 'roles/apps/whawty')
diff --git a/roles/apps/whawty/auth/defaults/main.yml b/roles/apps/whawty/auth/defaults/main.yml
new file mode 100644
index 00000000..a7f2dea8
--- /dev/null
+++ b/roles/apps/whawty/auth/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+# whawty_auth_instances:
+# test:
+# version: 0.2-rc9
+# port: 3080
+# store:
+# default: 1
+# params:
+# - id: 1
+# argon2id:
+# time: 1
+# memory: 65536
+# threads: 4
+# length: 32
+# sync:
+# port: 3022
+# authorized_keys:
+# - ssh-ed25519 ...
+# storage:
+# type: ...
+# publish:
+# zone: "{{ apps_publish_zone__foo }}"
+# hostnames:
+# - passwd.example.com
+# tls:
+# certificate_provider: ...
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index a5872839..1e2f6c0d 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -1,10 +1,12 @@
 ---
-## TODO: add storage handling!
-- set_fact:
- whawty_auth_instance_basepath: "/srv/whawty/{{ whawty_auth_instance }}"
-##
+- name: prepare storage volume
+ vars:
+ storage_volume: "{{ whawty_auth_instances[whawty_auth_instance].storage }}"
+ include_role:
+ name: "storage/{{ whawty_auth_instances[whawty_auth_instance].storage.type }}/volume"
 
-## TODO: custom user
+- set_fact:
+ whawty_auth_instance_basepath: "{{ storage_volume_mountpoint }}"
 
 - name: create instance config directory
 file:
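Review bot: The commented example in the new defaults file does not name the `publish` attributes that instance/tasks/main.yml reads in this commit — `publish.zone.certificate_ca_config`, `publish.zone.certificate_provider`, `publish.zone.publisher`, `publish.zone.name` and the optional `publish.tls` mapping tested with `'tls' in ...publish` — so a reader configuring an instance from this file cannot tell what `publish` accepts. Since the file exists only to document the schema, a `#     tls:` entry under `#   publish:` and a one-line remark that `zone` is a mapping carrying those attributes would make it usable as a reference. The trailing `tls:` / `certificate_provider: ...` entry (its nesting is not recoverable from this whitespace-collapsed listing) appears to reflect the pre-commit instance-level `tls.certificate_provider` key that the tasks no longer read and is probably stale.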
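Review bot: The `set_fact` that replaces the hard-coded basepath takes `storage_volume_mountpoint` from the `storage/<type>/volume` role included just above it, but nothing in this file states or checks that contract; if a storage role does not export the variable, the following `file:` task is handed an undefined or empty path. A comment on the set_fact such as `# storage_volume_mountpoint is exported by the storage/<type>/volume role` and, if the storage roles do not all guarantee it, an `assert` that `storage_volume_mountpoint is defined` before the set_fact would make this explicit. The old `## TODO: custom user` marker is dropped while every file in this role is still owned by the fixed `app` user; if that is now intentional it is worth a sentence in the commit, otherwise the TODO should survive.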
@@ -25,47 +27,47 @@
 mode: 0400
 owner: app
 
-- name: set up tls config
- when: "'tls' in whawty_auth_instances[whawty_auth_instance]"
- block:
- - name: create tls directory
- file:
- path: "{{ whawty_auth_instance_basepath }}/config/tls"
- state: directory
- mode: 0500
- owner: app
+- name: create instance tls directory
+ file:
+ path: "{{ whawty_auth_instance_basepath }}/tls"
+ state: directory
+ owner: app
+ mode: 0500
 
- - name: generate/install/fetch TLS certificate
- vars:
- x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}"
- x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].hostnames }}"
- x509_certificate_renewal:
- install:
- - dest: "{{ whawty_auth_instance_basepath }}/config/tls/cert.pem"
- src:
- - fullchain
- mode: "0400"
- owner: app
- - dest: "{{ whawty_auth_instance_basepath }}/config/tls/key.pem"
- src:
- - key
- mode: "0400"
- owner: app
- reload: |
- pod_id=$(crictl pods -q --state ready --name "^whawty-auth-{{ whawty_auth_instance }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 0
- container_id=$(crictl ps -q --name '^app$' -p "$pod_id")
- [ -n "$container_id" ] || exit 0
- crictl stop "$container_id"
- include_role:
- name: "x509/{{ whawty_auth_instances[whawty_auth_instance].tls.certificate_provider }}/cert"
+- name: generate/install TLS certificates for publishment
+ vars:
+ x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_publish"
+ x509_certificate_hostnames: []
+ x509_certificate_config:
+ ca: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_ca_config }}"
+ cert:
+ common_name: "whawty-auth-{{ whawty_auth_instance }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-crt.pem"
+ src:
+ - fullchain
+ owner: app
+ mode: "0444"
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-key.pem"
+ src:
+ - key
+ owner: app
+ mode: "0400"
+ include_role:
+ name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert"
 
- - name: generate app web config
- template:
- src: web.yml.j2
- dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
- mode: 0400
- owner: app
+- name: generate app web config
+ template:
+ src: web.yml.j2
+ dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
+ mode: 0400
+ owner: app
 
 - name: set up sync config
 when: "'sync' in whawty_auth_instances[whawty_auth_instance]"
@@ -104,9 +106,7 @@
 vars:
 whawty_auth_instance_config_hash_items__yaml: |
 - path: "{{ whawty_auth_instance_basepath }}/config/store.yml"
- {% if 'tls' in whawty_auth_instances[whawty_auth_instance] %}
 - path: "{{ whawty_auth_instance_basepath }}/config/web.yml"
- {% endif %}
 {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
 - path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"
 - path: "{{ whawty_auth_instance_basepath }}/sync/group"
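Review bot: The certificate task this hunk replaces carried a `reload:` hook under `x509_certificate_renewal` that stopped the `app` container after a renewal so the pod restarted with the new files; the new task has only `install:` entries, so a renewed publish cert and key are written to `tls/` but the running container keeps serving the old pair until it is restarted for some other reason. If the x509 role still honours it, re-adding the `reload:` block with the same crictl lookup closes that gap, and the nginx side, which verifies the app against the zone CA with `proxy_ssl`, then sees the rotated cert as soon as it is issued. Two smaller points in the same task: `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` should be written `true`, and the directory modes `mode: 0500` / `mode: 0400` are unquoted octals while the install entries a few lines below use `"0444"` / `"0400"`, so quote all of them to keep a YAML 1.2 parser from reading them as decimal. The `x509_certificate_hostnames: []` plus `common_name` only yields a certificate without a SAN, which the nginx `proxy_ssl` `name:` check in the later hunk can only match through the CN fallback; if the x509 role accepts it, listing the common name under hostnames as well is the more robust form.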
@@ -121,3 +121,38 @@
 config_hash_items: "{{ whawty_auth_instance_config_hash_items__yaml | from_yaml }}"
 include_role:
 name: kubernetes/standalone/pod
+
+- name: configure nginx vhost for publishment
+ vars:
+ nginx_vhost__yaml: |
+ {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
+ name: "whawty-auth-{{ whawty_auth_instance }}"
+ {% else %}
+ name: "whawty-auth-{{ whawty_auth_instance }}-{{ inventory_hostname }}"
+ {% endif %}
+ template: generic
+ {% if 'tls' in whawty_auth_instances[whawty_auth_instance].publish %}
+ tls:
+ {{ whawty_auth_instances[whawty_auth_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ hostnames:
+ {% for hostname in whawty_auth_instances[whawty_auth_instance].publish.hostnames %}
+ - {{ hostname }}
+ {% endfor %}
+ locations:
+ '/':
+ {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
+ proxy_pass: "https://127.0.0.1:{{ whawty_auth_instances[whawty_auth_instance].port }}"
+ {% else %}
+ proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ whawty_auth_instances[whawty_auth_instance].port }}"
+ {% endif %}
+ proxy_ssl:
+ trusted_certificate: "/etc/ssl/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}-ca-crt.pem"
+ verify: "on"
+ name: "whawty-auth-{{ whawty_auth_instance }}"
+ protocols: "TLSv1.3"
+ nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
+ include_role:
+ name: nginx/vhost
+ apply:
+ delegate_to: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.publisher }}"
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index b264577d..50f8e0c2 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
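Review bot: `- {{ hostname }}` in the hostnames loop writes each templated value unquoted into YAML that `from_yaml` then parses, unlike every other templated value in this block, which is quoted; `- "{{ hostname }}"` keeps a hostname from being re-typed or mis-parsed by the loader. The `publish.zone.publisher == inventory_hostname` test is evaluated twice in this block and once more in pod-spec.yml.j2; computing it once as a boolean in `vars:` and referencing that in all three places would keep the branches from drifting apart. The `trusted_certificate` path under `/etc/ssl/apps-publish-<zone>/` is presumably provisioned on the publisher host by the zone's own role; that cross-role dependency is not visible here and deserves a comment next to `proxy_ssl:` so the next reader knows where the CA file comes from.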
@@ -11,14 +11,15 @@ containers:
 - "run"
 - "--web-addr"
 - ":{{ whawty_auth_instances[whawty_auth_instance].port }}"
-{% if 'tls' in whawty_auth_instances[whawty_auth_instance] %}
 - "--web-config"
 - "/config/web.yml"
-{% endif %}
 volumeMounts:
 - name: config
 mountPath: /config
 readOnly: true
+ - name: tls
+ mountPath: /tls
+ readOnly: true
 - name: store
 mountPath: /store
 env:
@@ -28,6 +29,9 @@ containers:
 ports:
 - containerPort: {{ whawty_auth_instances[whawty_auth_instance].port }}
 hostPort: {{ whawty_auth_instances[whawty_auth_instance].port }}
+{% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
+ hostIP: "127.0.0.1"
+{% endif %}
 {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
 - name: sync
 image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
@@ -49,6 +53,10 @@ volumes:
 hostPath:
 path: "{{ whawty_auth_instance_basepath }}/config"
 type: Directory
+- name: tls
+ hostPath:
+ path: "{{ whawty_auth_instance_basepath }}/tls"
+ type: Directory
 - name: store
 hostPath:
 path: "{{ whawty_auth_instance_basepath }}/store"
diff --git a/roles/apps/whawty/auth/instance/templates/web.yml.j2 b/roles/apps/whawty/auth/instance/templates/web.yml.j2
index 705e056d..d7f35f2e 100644
--- a/roles/apps/whawty/auth/instance/templates/web.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/web.yml.j2
@@ -1,13 +1,6 @@
 ---
 tls:
- certificate: /config/tls/cert.pem
- certificate-key: /config/tls/key.pem
- min-protocol-version: "TLSv1.2"
- ciphers:
- - ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- - TLS_AES_128_GCM_SHA256
- - TLS_AES_256_GCM_SHA384
- - TLS_CHACHA20_POLY1305_SHA256
+ certificate: /tls/publish-crt.pem
+ certificate-key: /tls/publish-key.pem
+ min-protocol-version: "TLSv1.3"
 prefer-server-ciphers: true
-- cgit v1.2.3
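Review bot: `hostIP: "127.0.0.1"` is only emitted when this node is the publisher; in every other case the existing `hostPort` stays bound to all node addresses, even though the nginx vhost in tasks/main.yml reaches the app only at `ansible_default_ipv4.address`. Unless a host firewall outside this role already limits the port to the publisher, pinning the non-publisher case as well, `{% else %}` followed by `hostIP: "{{ ansible_default_ipv4.address }}"`, narrows what the app exposes to exactly what the proxy uses. The `tls` hostPath volume is mounted read-only, which is the right default for a directory holding a private key; the `0500` directory and `0400` key that tasks/main.yml creates for user `app` presume the container process runs under that same uid, which this hunk does not show — worth a comment on the volume if that is guaranteed elsewhere.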
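Review bot: With `min-protocol-version` raised to `"TLSv1.3"` and the explicit `ciphers` list removed, the surviving `prefer-server-ciphers: true` no longer has a server-side list to prefer; whether the app applies it to TLS 1.3 suites at all is not visible here, so either drop the key or add `# kept for the app's TLS 1.3 suite ordering` style comment stating why it stays. The certificate paths now point at the publish pair that tasks/main.yml installs under `tls/` and pod-spec.yml.j2 mounts read-only at `/tls`; since the `'tls' in ...` guard around `--web-config` is gone in the same commit, this file is now rendered for every instance, which matches the unconditional certificate task but should be noted in defaults/main.yml so operators know `publish` is required rather than optional.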